Pandorhack: Stealing Pandora Passwords

On Sep 20, 2012, it was reported that Pandora keeps a copy of your cleartext password in the persistent HTML5 local storage area for www.pandora.com. I decided to investigate. I reverse-engineered their JavaScript code and found that Pandora merely obfuscates passwords with a single static encryption key that is the same for everybody. I wrote a JavaScript utility to demonstrate the vulnerability by decrypting Pandora passwords. In other words, even after a user logs out of Pandora, another user of the same computer can read the local storage, recover the password, and log back into pandora.com under that user's identity! This is obviously an issue for shared computers (family computer, computer lab, internet cafe, etc.).

As of Sep 21, 10:20 UTC, some report that Pandora "fixed" the issue, but this is not true. The login form is no longer automatically populated with the password, but the password is still saved in local storage.

As of Sep 21, 11:35 UTC, it appears that Pandora removes the password from local storage when the user logs off. Passwords can still be stolen if users do not explicitly log off.

"Pandorhack" decryption tool

The following javascript utility demonstrates the vulnerability by decrypting the piece of
local storage data to expose all the passwords it contains. Hopefully this will entice Pandora
to implement additional measures to protect their users' passwords.

First, open the local storage area for www.pandora.com and locate the key jStorage (in Google Chrome: Developer Tools, Resources, Local Storage, www.pandora.com). Then copy and paste the jStorage value into the text field below (I pre-populated it with an example) and click Decrypt. The output should expose the passwords and other information (user ID, email address, etc.) of all Pandora accounts that logged in using this browser.
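The updates above hinge on one question a user or auditor can answer without decrypting anything: does the jStorage blob still contain a credential-looking field after logout? The script below is an added example, not the Pandorhack tool and not Pandora's code. It parses a jStorage document (jStorage keeps one JSON object under the localStorage key "jStorage", with a "__jstorage_meta" bookkeeping entry that is skipped here) and reports the paths and lengths of fields whose names suggest a stored secret, without printing the values. The sample blob, its field names and the name findCredentialFields are constructed for illustration and are not Pandora's actual storage layout.

```javascript
// Added example (not from the original post): audit a jStorage blob for
// credential-looking fields. jStorage stores a single JSON document under the
// localStorage key "jStorage"; its "__jstorage_meta" entry holds library
// bookkeeping (TTLs, CRC32 checksums) and is skipped at the top level.
// The sample blob and its field names below are constructed for illustration;
// they are not Pandora's real storage layout.

const CREDENTIAL_KEY = /pass(word)?|pwd|secret|token|credential/i;

// Parse a jStorage document and return dotted paths whose key name looks like
// a credential, with the stored value's type and length (never the value).
function findCredentialFields(jStorageText) {
  let doc;
  try {
    doc = JSON.parse(jStorageText);
  } catch (e) {
    return { parsed: false, findings: [] };
  }
  const findings = [];
  function walk(node, path) {
    if (node === null || typeof node !== 'object') return;
    for (const [key, value] of Object.entries(node)) {
      if (path.length === 0 && key === '__jstorage_meta') continue; // library metadata
      const here = path.concat(key);
      if (CREDENTIAL_KEY.test(key)) {
        findings.push({
          path: here.join('.'),
          type: typeof value,
          length: typeof value === 'string' ? value.length : null,
        });
      }
      walk(value, here); // descend into nested objects and arrays
    }
  }
  walk(doc, []);
  return { parsed: true, findings };
}

// Constructed sample in jStorage's on-disk shape: a JSON object with the
// "__jstorage_meta" bookkeeping entry beside the application's own keys.
const SAMPLE_JSTORAGE = JSON.stringify({
  __jstorage_meta: { CRC32: { 'user.session': '2.1a2b3c4d' }, TTL: {} },
  'user.session': {
    userId: 12345,
    email: 'example@example.invalid',
    encryptedPassword: 'c0nstructed-ciphertext-sample',
  },
  'player.volume': 80,
});

// Same shape after a logout that actually removed the secret (constructed).
const SAMPLE_AFTER_LOGOUT = JSON.stringify({
  __jstorage_meta: { CRC32: {}, TTL: {} },
  'player.volume': 80,
});

function auditSample() {
  return findCredentialFields(SAMPLE_JSTORAGE);
}

function auditAfterLogout() {
  return findCredentialFields(SAMPLE_AFTER_LOGOUT);
}

// In a browser console on the site being audited, the same check runs against
// the live storage area:
//   findCredentialFields(localStorage.getItem('jStorage'))
if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, result] of [['before logout', auditSample()], ['after logout', auditAfterLogout()]]) {
    if (result.findings.length === 0) {
      console.log(`${label}: no credential-like fields found`);
    }
    for (const f of result.findings) {
      console.log(`${label}: credential-like field ${f.path} (${f.type}, ${f.length} chars)`);
    }
  }
}
```

The name-based match is deliberately coarse: it flags what deserves a closer look rather than proving a field holds a password, and it reports only lengths so the audit output itself does not become another copy of the secret. Running it before and after logging off is the quick way to check whether a "fix" like the one reported above actually clears the stored credential.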